Corporate governance of IT must evolve as the role of IT is shifting. The Dutch Corporate Governance Monitoring Committee recently proposed to include IT governance and risk management in the responsibilities of the Board's audit committee. This appears as an anachronistic view of the role of IT in the enterprise. Additionally, it can even backfire on the good intentions of the Committee to improve risk management of IT.
The Committee ought to leave this specific “best practice” provision out when composing the new code. For boards though there’s no excuse: ‘digital’ growth opportunities require a different kind of (IT) governance.
Corporate Governance Codes (CGCs) have emerged in the wake of large scandals that damaged our collective confidence in large enterprises. As a consequence, these first Codes focused on ensuring accuracy in financial reporting and compliance with legislation. When new types of risk surfaced with the financial crisis, the public debate called for a broader perspective on risk in the CGCs. Therefore it’s no surprise that the Dutch Corporate Governance Code Monitoring Committee dedicated a new section to risk management reinforcement when recently tasked with updating the existing code.
Traditionally, the audit committee has been the place in the board to monitor and discuss risks. The Dutch Committee proposed to broaden the duties and responsibilities of the audit committee to include monitoring of the “risk management conducted by the management board”. And it stipulated (amongst others) that, when doing this, the audit committee “should in any event focus on monitoring the management board with regard to [...] the application of information and communication technology of the company.”
This seems to be an anachronistic view of the role of IT in the enterprise. Additionally, it can even backfire on the good intentions of the Committee to improve risk management of IT.
The perspective is increasingly held that IT -and other technologies- can create significant additional value in most industries. Surely there’s risk involved -and potentially even more disruptive in nature- but risk management related to IT is shifting fundamentally from avoiding the (tactical) downsides to capturing the (strategic) upsides. The audit committee is certainly not the best place to govern such a shift effectively.
IT is on the agenda of the audit committee already, but mostly when evaluating the quality of financial systems and controls. The discussions entertained in the audit committee differ greatly from what is required to monitor the organisation’s strategies and steps towards an increasingly digital world. An audit committee’s agenda focuses traditionally as well as formally on the areas of financial control, audit and reporting.
Furthermore, ever increasing and expanding demands are placed on this control and compliance oriented task. As a consequence “most boards are stuck in a time warp” and “directors find themselves in the very role they have long tried to avoid: that of micro-manager”. Quotes from Harvard professors Lorsch and Clark, made already in 2008. And here’s the key concern they voiced: “To us, the irony here is that as directors have become more hands-on in the area of compliance, they’ve become more hands-off in the area of long-range planning, which exposes shareholders to another -potentially greater- kind of risk.”
There is another challenge and it is coming from an unexpected angle. With IT anchored more firmly at the audit committee, the board may consider the CFO to be the most appropriate -practical- reporting line for the CIO. And herein lies a caveat. Research firm Gartner periodically surveys the reporting lines of CIOs and the accompanying rationale from a CEO perspective. In 2014, when asked why the CIOs in their organisations report to the CFOs, the CEOs who chose to do so, label IT as “support and not strategic” for their companies. Quite different from CEOs who label IT as “mission critical” or “strategic” for their organisations - and therefore selected a different reporting line for the CIO.
If IT is framed firmly as part of the risk and control dimension of the organisation, and if it gets discussed primarily with the financial board members and with the auditors, then the risk grows that the attitudes of senior executives towards IT get locked into a mostly “support and not strategic” perspective. To paraphrase Lorsch and Clark: “which exposes stakeholders to a potentially greater kind of risk.”
In conclusion, the Dutch Committee ought to leave this specific “best practice” provision out when composing the new CGC. They can do so without much risk: if organisations do not address IT or technology risks sufficiently at the board level, stakeholders already have opportunities to speak up. And, if justified, they may -and board members are very much aware- get a court to rule in their favour even in the absence of an explicit paragraph on IT risk management in the CGC.
For boards though there’s no excuse. ‘Digital’ growth opportunities require a different kind of (IT) governance. And with the new types of risk (and opportunities!), the organisation should redesign how it governs these.